
Research: vulnerabilities in industrial control systems in 2014



During NATO's cyber exercises in Estonia in April 2015, it emerged that the Alliance's main cyber unit is no longer interested in Android devices or webcams: the focus of military hackers has shifted towards Windows and SCADA systems.

A month ago, Dell researchers reported that in 2014 the number of malicious programs designed to attack retail POS systems and SCADA systems doubled. Today we will share some figures and observations on industrial control systems (ICS / SCADA) collected by our experts over the past three years.

In recent years, industrial control systems have reached a fundamentally new level thanks to advances in information technology and the Internet. This new round of automation, however, brings its own problems: incorrect use of data protection and processing technologies leads to serious vulnerabilities.

As a result, industrial control systems are increasingly becoming targets for cybercriminals and other attackers. The standalone worms Stuxnet (2010) and Flame (2012) have given way to more sophisticated multistage attack schemes. For example, in 2014 the operators of the Havex trojan compromised the websites of vendors of industrial (SCADA) software and trojanized the official distributions hosted there; the infected installers were then deployed at enterprises, giving the attackers access to control systems in several European countries.

In 2012, Positive Technologies experts released the analytical report “Safety of Industrial Systems in Figures”. Below are the results of our new study, which make it possible to assess what changed between 2012 and 2015.

Among the general trends we observe when analyzing ICS security, the following stand out.

Open doors. Many systems that control production, transport, water and energy can be found on the Internet using public search engines. As of January 2015, Positive Technologies researchers had discovered more than 140,000 different ICS components this way, and the owners of such systems rarely realize how “visible from the outside” their resources are. We also find opportunities to attack ICS through kiosk mode and cloud services, through sensors and physical ports, through industrial Wi-Fi and other types of access that are often not considered threats at all.

One key to many locks. The rapid growth in the number of organizations deploying ICS, combined with a limited number of vendors, leads to a state where the same SCADA platform manages critical facilities across many industries. For example, our experts have identified vulnerabilities in a platform that is used to manage the Large Hadron Collider, several European airports and Iran's nuclear power plants, the largest pipelines and water supply installations in various countries, and trains and chemical plants in Russia. A vulnerability found once in such a platform lets attackers target many different facilities around the world.

Threats evolve faster than protection. The complex organization of ICS and the requirement that technological processes run continuously mean that the basic components of control systems (industrial protocols, operating systems, DBMS) become obsolete but are not updated, and their vulnerabilities remain unfixed for years. At the same time, the development of automated tools greatly increases the speed at which attackers work: in the “Critical Infrastructure Attack” contest at the PHDays IV forum, several modern SCADA platforms used in industrial enterprises were cracked within two days.

"Crazy House". The term ICS (automated process control system) appeared in the 1980s, when the main objects of automation were large industrial enterprises. Since then, cheaper and smaller hardware has brought computerized devices that control building life-support systems and monitor and distribute electricity into everyday life. Yet neither manufacturers nor consumers pay enough attention to the security of these systems: this study shows how many such devices are reachable from the Internet.

Research methodology


Vulnerability information was gathered from vulnerability databases (ICS-CERT, NVD / CVE, SCADA Strangelove, Siemens Product CERT, etc.), exploit collections (SAINTexploit, Metasploit Framework, Immunity Canvas, etc.), vendor notifications, as well as conference reports and publications on specialized sites.

The risk level of each vulnerability was determined from its CVSS v2 score. Bear in mind that factors such as the lack of standard vulnerability descriptions and vendors' disclosure policies affect the statistics: vendors often underestimate risk or do not disclose vulnerability information at all (see the full version of the report for more on these factors). The real security situation of ICS may therefore be even worse than our statistics show.

Data on the Internet accessibility of ICS was collected using passive methods: public search engines (Shodan, Project Sonar, Google, Bing) and port scan results. The data were analyzed against a fingerprint database of 740 records, each of which allows the vendor and product version to be inferred from a service banner. Most fingerprints relate to the SNMP (240) and HTTP (113) protocols, and about a third to various industrial protocols (Modbus, DNP3, S7, etc.).
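Banner fingerprinting of the kind described above, as an added example that is not the study's own fingerprint database or tooling. It matches HTTP and SNMP banners against regex rules and decodes a Modbus Read Device Identification response (function 0x2B, MEI type 0x0E) to pull vendor, product and revision from the device itself. All rules, vendor names, banners and the Modbus response are constructed for illustration (hypothetical "ExampleCorp" products); a real rule set is built from vendor documentation and captured banners.

```python
"""Banner fingerprinting: map a service banner to vendor / product / version.

Added example, not the study's code. Every rule, banner and vendor name
below is constructed (hypothetical "ExampleCorp" products).
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Fingerprint:
    protocol: str         # "http", "snmp" or "modbus"
    pattern: re.Pattern   # a named group 'version' captures the version when present
    vendor: str
    product: str


# Constructed rule set; the study's database held 740 such records.
RULES = [
    Fingerprint("http", re.compile(r"^Server:\s*ExampleHMI/(?P<version>[\d.]+)", re.M),
                "ExampleCorp", "ExampleHMI"),
    Fingerprint("snmp", re.compile(r"ExamplePLC Firmware (?P<version>[\d.]+)"),
                "ExampleCorp", "ExamplePLC"),
    # Modbus: match on the VendorName object; the version comes from the revision object.
    Fingerprint("modbus", re.compile(r"^ExampleCorp$"), "ExampleCorp", "ExamplePLC"),
]

# Object IDs of the basic device identification set (Modbus spec, function 0x2B / MEI 0x0E).
OBJ_VENDOR_NAME, OBJ_PRODUCT_CODE, OBJ_REVISION = 0x00, 0x01, 0x02
MODBUS_FC, MODBUS_MEI, MODBUS_EXC = 0x2B, 0x0E, 0x2B | 0x80   # 0xAB marks an exception response


def parse_modbus_device_id(pdu: bytes) -> dict:
    """Decode a Read Device Identification response PDU into {object_id: value}."""
    if len(pdu) >= 2 and pdu[0] == MODBUS_EXC:
        raise ValueError(f"Modbus exception response, code {pdu[1]:#x}")
    if len(pdu) < 7 or pdu[0] != MODBUS_FC or pdu[1] != MODBUS_MEI:
        raise ValueError("not a Read Device Identification response")
    # pdu[2]=ReadDevIdCode, pdu[3]=ConformityLevel, pdu[4]=MoreFollows,
    # pdu[5]=NextObjectId, pdu[6]=NumberOfObjects, then (id, length, value) triples.
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, length = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated object value")
        objects[obj_id] = value.decode("ascii", errors="replace")
        pos += 2 + length
    return objects


def fingerprint(protocol: str, banner) -> Optional[dict]:
    """Map a banner (str for http/snmp, response PDU bytes for modbus) to
    vendor/product/version, or None when no rule matches."""
    if protocol == "modbus":
        objects = parse_modbus_device_id(banner)
        text = objects.get(OBJ_VENDOR_NAME, "")
        version = objects.get(OBJ_REVISION)
    else:
        text, version = banner, None
    for rule in RULES:
        if rule.protocol != protocol:
            continue
        match = rule.pattern.search(text)
        if match:
            if version is None and "version" in match.groupdict():
                version = match.group("version")
            return {"vendor": rule.vendor, "product": rule.product, "version": version}
    return None


# Constructed sample banners, one per protocol family.
HTTP_BANNER = "HTTP/1.1 200 OK\r\nServer: ExampleHMI/4.1.2\r\nContent-Type: text/html\r\n"
SNMP_SYSDESCR = "ExamplePLC Firmware 2.3.0 Build 117"
MODBUS_PDU = (bytes([MODBUS_FC, MODBUS_MEI, 0x01, 0x01, 0x00, 0x00, 0x03])
              + bytes([OBJ_VENDOR_NAME, 11]) + b"ExampleCorp"
              + bytes([OBJ_PRODUCT_CODE, 5]) + b"EXPLC"
              + bytes([OBJ_REVISION, 5]) + b"2.3.0")

if __name__ == "__main__":
    for proto, banner in (("http", HTTP_BANNER), ("snmp", SNMP_SYSDESCR), ("modbus", MODBUS_PDU)):
        print(proto, fingerprint(proto, banner))
```

The Modbus path is worth the extra code because, unlike an HTTP header, the device identification objects are structured and length-prefixed: a parser that trusts the object count or length byte without bounds checks will read past the end of a short or malformed response, which is exactly the kind of input an Internet-wide scan will see.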

Number of vulnerabilities


In total, the study identified 691 vulnerabilities in the components of the process control system. A sharp increase after 2009 is noticeable: over the next three years (2010–2012), the number of detected vulnerabilities of the automated process control system increased 20 times (from 9 to 192). After that, the average annual number of detected vulnerabilities stabilized (181 in 2014).



Figure: Number of ICS vulnerabilities per year

Vulnerability Analysis


The severity distribution of the identified vulnerabilities also follows the 2012 trend: most vulnerabilities are rated high (58%) or medium (39%) risk.

Looking at the CVSS vectors, more than half of the vulnerabilities have a high score on the availability impact metric, the one that matters most for a system whose job is to keep a process running. The share of remotely exploitable vulnerabilities (access vector: network) is also high, which, together with weak authentication mechanisms, increases the risk of attacks.

Since information on the vulnerability remediation process is not publicly available, the study used data that Positive Technologies experts obtained from vendors. The situation looks bleaker than in 2012, when most security flaws (about 81%) were fixed promptly by vendors, either before they became widely known or within 30 days of uncoordinated disclosure. According to data for the first quarter of 2015, only 14% of vulnerabilities were fixed within three months, 34% took more than three months, and the remaining 52% were either not fixed or the vendor did not report a fix date.



Figure: Time to fix ICS vulnerabilities

Vulnerabilities by manufacturer


The list of vendors leading in the number of product vulnerabilities has not changed: Siemens (124 vulnerabilities), Schneider Electric together with Invensys, which it acquired (96), Advantech (51), General Electric (31). At the same time, the overall list of vendors with identified vulnerabilities has grown. The diagram below shows the companies with the largest number of vulnerabilities; the remaining 88 vendors are combined under “Other”.



Figure: ICS vulnerabilities by manufacturer and risk level

Geography of availability and vulnerability of process control systems


In total, the study identified 146,137 ICS components accessible via the Internet. The most common are Tridium (Honeywell) building automation systems and power monitoring and control systems, including those for solar installations (SMA Solar Technology). By component type, PLC / RTU devices are the most numerous, followed by inverter monitoring and control systems, then network devices and HMI / SCADA components.

It is natural that technologically leading countries have a high level of automation, so the concentration of their industrial systems on the Internet is correspondingly high. The leader, as before, is the United States (33%), but second place now belongs to Germany rather than Italy, and by a wide margin (19%). Overall, Europe shows a marked increase in the Internet accessibility of industrial systems. In Asia, by contrast, locally produced ICS components that are little known on the world market are common, and they cannot always be identified.



Figure: Distribution of Internet-accessible ICS components by country

By analyzing the versions of the accessible ICS components, more than 15,000 vulnerable components were identified. The largest number is in the United States, followed by France, Italy and Germany, consistent with the overall prevalence of these systems. It should be noted, however, that few vulnerabilities have been identified in the components most common on the Internet. Overall, more than 10% of the accessible ICS components were vulnerable.
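The version-matching step behind these figures, as an added example that is not the study's tooling: fingerprinted (country, product, version) records are checked against advisory-style "affected versions" ranges and aggregated per country into the share of vulnerable components. Versions are compared numerically, since a string comparison would wrongly treat 2.10.0 as older than 2.4.0. The product names, versions and advisory entries are constructed (hypothetical "ExamplePLC" and "ExampleHMI") and describe no real vulnerability.

```python
"""Match fingerprinted component versions against affected-version ranges.

Added example, not the study's code. The advisory entries and the inventory
below are constructed and refer to hypothetical products only.
"""
import re
from dataclasses import dataclass
from typing import Optional


def version_key(version: str) -> tuple:
    """'2.10.0' -> (2, 10, 0), so that comparisons are numeric per component."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric components in version {version!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Affected:
    product: str
    fixed_in: Optional[str]        # None: the vendor has published no fixed version
    first_affected: str = "0"      # lower bound of the affected range, inclusive


def is_vulnerable(product: str, version: str, advisories) -> bool:
    """True when the version falls in [first_affected, fixed_in) of any advisory
    for the product; an advisory without a fix covers every later version."""
    v = version_key(version)
    for adv in advisories:
        if adv.product != product or v < version_key(adv.first_affected):
            continue
        if adv.fixed_in is None or v < version_key(adv.fixed_in):
            return True
    return False


def vulnerable_share(inventory, advisories) -> dict:
    """Group (country, product, version) records by country and report totals and shares."""
    by_country = {}
    for country, product, version in inventory:
        total, vuln = by_country.get(country, (0, 0))
        by_country[country] = (total + 1, vuln + int(is_vulnerable(product, version, advisories)))
    return {c: {"total": t, "vulnerable": v, "share": v / t} for c, (t, v) in by_country.items()}


# Constructed advisories: one with a fix, one where the vendor has reported no fix date.
ADVISORIES = [
    Affected("ExamplePLC", fixed_in="2.4.0"),
    Affected("ExampleHMI", fixed_in=None, first_affected="4.0.0"),
]

# Constructed inventory, as a fingerprinting pass would produce it.
INVENTORY = [
    ("US", "ExamplePLC", "2.3.0"),   # below the fixed version: vulnerable
    ("US", "ExamplePLC", "2.10.0"),  # newer than 2.4.0 once compared numerically
    ("DE", "ExamplePLC", "2.4.0"),   # exactly the fixed version: not vulnerable
    ("DE", "ExampleHMI", "4.1.2"),   # no fix published: counted as vulnerable
    ("DE", "ExampleHMI", "3.9.1"),   # before the affected range starts
    ("FR", "ExamplePLC", "1.0"),     # shorter version string, still comparable
]

if __name__ == "__main__":
    for country, stats in sorted(vulnerable_share(INVENTORY, ADVISORIES).items()):
        print(country, stats)
```

Treating "no fix published" as vulnerable is a deliberate choice that mirrors the remediation figures above, where 52% of flaws were either unfixed or had no reported fix date: from the point of view of an exposed device, both cases look the same.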



Figure: Distribution of vulnerable ICS components by country




At the Positive Hack Days information security forum (to be held on May 26-27 in Moscow), Positive Technologies experts will present a detailed report on the results of this study of ICS vulnerabilities in 2014. Visitors will also be able to take part in ICS hacking contests there.

Source: https://habr.com/ru/post/258039/

